sandstorm-io / sandstorm

Sandstorm is a self-hostable web productivity suite. It's implemented as a security-hardened web app package manager.
https://sandstorm.io

Feature Request: Ability to choose soft wildcard generation (ex: passphrase based) instead of random characters #1531

Closed schweizerbolzonello closed 2 months ago

schweizerbolzonello commented 8 years ago

Hello, I'd like to have the ability to make Sandstorm (I'm "on premises") generate "soft" wildcards instead of random wildcards:

For example, https://xjdkrzinuhexspafa4r6.my.sand.storm would be replaced by https://starboard-contagion-rehires-fifty.my.sand.storm

1) Seems less suspicious in an email or to non-technical end users (yes, I know there are CNAMEs, but I would want the process of "publishing" to be as automated as possible).

2) Hard URLs like the ones generated could actually trigger some heuristic enterprise proxies and/or antivirus that scan Internet traffic (it could be some Cryptolocker-variant traffic, for example).

kpreid commented 8 years ago

Reassuring non-technical users by using a random selection of potentially-unfortunately-meaningful English words seems hazardous.

paulproteus commented 8 years ago

I, for one, am a big fan of reassuring non-technical users by choosing a random selection of these words.

https://stackoverflow.com/questions/7621341/how-can-i-programmatically-generate-heroku-like-subdomain-names discusses one way to (hopefully?) minimize the chance of them having unfortunate meaning, which is to use calm nature things, like Heroku, which is a strategy I personally love. Heroku does a combination - some words, some numbers - we'd need to see how to choose something that provides suitable entropy.
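The entropy question raised in the comment above, worked through as an added example (not part of the thread and not Sandstorm's code). It assumes the 20-character label shown in the request is drawn uniformly from a 36-symbol alphabet (a-z, 0-9) and that words come from a hypothetical 7776-word list; the eight-word list in the code is constructed only so the block runs offline.

```python
import math
import secrets

DNS_LABEL_MAX = 63  # RFC 1035: a single DNS label is at most 63 octets

# Constructed sample list. A real list would hold thousands of vetted words;
# the list size, not the particular words, determines the entropy.
SAMPLE_WORDS = ["amber", "brook", "cedar", "dune", "ember", "fern", "grove", "heron"]


def label_bits(symbols, choices):
    """Entropy in bits of `symbols` uniform draws from `choices` options."""
    return symbols * math.log2(choices)


def words_needed(label_len, alphabet_size, wordlist_size):
    """Smallest word count whose space is at least that of the random label.

    Integer arithmetic avoids float rounding when the two spaces are equal.
    """
    target = alphabet_size ** label_len
    count = 1
    while wordlist_size ** count < target:
        count += 1
    return count


def max_avg_word_len(count):
    """Longest average word length so `count` hyphen-joined words fit a label."""
    return (DNS_LABEL_MAX - (count - 1)) / count


def word_label(words, count):
    """Hyphen-joined hostname label of `count` words chosen with the OS CSPRNG."""
    label = "-".join(secrets.choice(words) for _ in range(count))
    if len(label) > DNS_LABEL_MAX:
        raise ValueError("label exceeds the 63-octet DNS limit")
    return label


if __name__ == "__main__":
    print("random 20-char label: %.1f bits" % label_bits(20, 36))
    print("four words of 7776:   %.1f bits" % label_bits(4, 7776))
    n = words_needed(20, 36, 7776)
    print("words to match:", n, "max avg word length:", max_avg_word_len(n))
    print("sample label:", word_label(SAMPLE_WORDS, 4))
```

Under these assumptions a four-word label carries about half the bits of the random one, and matching it takes eight words whose average length cannot exceed seven characters.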

kentonv commented 8 years ago

Hmm, I think I'm -1 on this:

  1. The randomly-generated subdomains generally aren't meant to be seen by users anyway. The one case where they are seen is when doing static publishing but using the default-assigned host rather than mapping your own. I think for this case what we want is better options for choosing a custom host; we should have a feature where users can use the powerbox to choose a subdomain with a pleasing name.
  2. I'm skeptical about "enterprise proxies" blocking random-looking URLs. How do they know they are random-looking? Why would they block them? I'd love to know more about the details here, such as exactly which proxies do this and why. I would then want to design a solution specifically for the problem.